SSL Traffic Causes Next Generation Firewall Performance Problems

According to new research from NSS Labs, SSL decryption causes significant performance problems for next generation firewall (NGFW) devices.

On average, the seven NGFW devices tested by the company experienced a performance loss of approximately 74 percent with 512b and 1024b ciphers (the current industry standard), and approximately 81 percent loss with 2048b ciphers, which will become the industry standard by the end of the year.

The average number of transactions per second (TPS) also descreased significantly, according to NSS Labs -- an average of approximately 86.8 percent with 512b ciphers, 87.79 with 1204b, and 92.28 percent with 2048b.

Among vendors, Sourcefire had the highest rated TPS performance, Dell SonicWALL had the highest TPS performance with onboard SSL decryption, and Juniper had the least impact to throughput performance.

While SSL traffic currently comprises approximately 25-35 percent of a typical enterprise's network traffic, with the rise in use of HTTPS and with applications and search engines enabling SSL by default, NSS Labs says most enterprises should expect an average yearly increase of approximately 20 percent in SSL traffic.

"It is the ultimate irony that the increasing use of SSL in an attempt to make our online lives more secure actually reduces security on the corporate network by creating blind spots for corporate security infrastructures," the report states.

"Because industry standards are moving towards 2048b and SSL/TLS traffic is rapidly increasing, the ability to effectively support SSL/TLS decryption can no longer be swept under the rug," report author and NSS Labs research director John Pirc said in a statement. "If this thought process continues I foresee a huge issue in the future for enterprises trying to keep targeted persistent attacks at bay."